Hello,

I am new to the list and have not practiced policy routing yet, but I have browsed the archive, searched Google and read some HOWTOs. But most problem-solving stuff I have found seems routing oriented, where in my case "I want NO routing at all"... ;-)

1) I want to "simulate" multiple servers within one.
2) Each virtual server needs to have a separate physical or logical ethernet.
3) Each server also needs to have a separate routing table, address and mask.

I would like to achieve the best logical separation possible.

Here is what I'm trying to accomplish in ASCII art...

The PHYSICAL view: (no eth0 to simplify)

      +--------------------------+
      |    Super linux server    |
      |VM1        VM2        VM3 |
      |eth1       eth2       eth3|
      +-+----------+----------+--+
1.1.1.1 |  2.2.2.2 |  3.3.3.3 |
        |          |          |
        v          v          v
1.1.1.9 |  2.2.2.9 |  3.3.3.9 |
    +---+----+ +---+----+ +---+----+
    | Router | | Router | | Router |
    +--------+ +--------+ +--------+
          \        |        /
           \       +       /
            \__/       \__/
            /             \
              ("network")
            \_     _     _/
               \/     \/

The LOGICAL view:

     +-----+    +-----+    +-----+
     | Ser |    | Ser |    | Ser |
     | ver |    | ver |    | ver |
     | N°1 |    | N°2 |    | N°3 |
     +--+--+    +-----+    +-----+
1.1.1.1 |  2.2.2.2 |  3.3.3.3 |
        |          |          |
        v          v          v
1.1.1.9 |  2.2.2.9 |  3.3.3.9 |
    +---+----+ +---+----+ +---+----+
    | Router | | Router | | Router |
    +--------+ +--------+ +--------+
          \        |        /
           \       +       /
            \__/       \__/
            /             \
              ("network")
            \_     _     _/
               \/     \/

For 1) I plan to use http://www.solucorp.qc.ca/miscprj/s_context.hc?dp=0 that describes "Virtual servers and security contexts", a patch to the Linux kernel from Jacques Gelinas. One of the added features is to limit which IP address a virtual server can bind to. This means if a server "binds" to 0.0.0.0 it will get the only IP available to it in that context.

For 2) I have multiple options:

2a) Using a separate physical ethernet for each virtual server. This will simplify my network topology, however it costs a bit more. This is my preferred solution currently; it might offer enhanced separation if a routing table can be attached to an interface...??? (help)

2b) Use one of the Linux VLAN (802.1Q) implementations on a single ethernet card. Then separate the traffic with a LAN switch.

2c) Use a single ethernet card with multiple addresses on it (alias?) and use a LAN switch capable of IP SUBNET VLAN (costs a lot).

2d) Use a single ethernet card with multiple addresses AND multiple MAC addresses (already discussed somewhere on this list and in the vlan one) and use a LAN switch capable of MAC address based VLAN (less difficult to find).

For 3) I need some more help from this list...

I have found this:

Can't use two links on a linux box : Two link to the internet...
http://mailman.ds9a.nl/pipermail/lartc/2000q4/000091.html
http://mailman.ds9a.nl/pipermail/lartc/2000q4/000092.html
http://mailman.ds9a.nl/pipermail/lartc/2000q4/000153.html
http://mailman.ds9a.nl/pipermail/lartc/2000q4/000156.html

I took a look at:
http://kewl.phear.org/policy/

and of course at this:

@home cable modem: Separate default gateway per interface...
http://mailman.ds9a.nl/pipermail/lartc/2001q2/000736.html
http://mailman.ds9a.nl/pipermail/lartc/2001q2/000768.html

My problems...

A) I want to avoid being used as a router; I want to be a host on each interface. This means if I receive a packet not for me, it must be discarded.
[What should be done for that?]

B) I want to avoid sending any kind of ICMP redirect or such.
[natural if I am not a router?]

C) I want to avoid accepting a packet going to 2.2.2.2 on eth1 or 3. So the server should not accept a packet coming in on the wrong interface.
[What should be done for that?]

D) I want packets received on eth2 to go out on eth2...
[This should be implicit by the way replying to IP packets works]

E) I want to be able to "ping" from 1.1.1.1 to 2.2.2.2 going across the network (and not staying local). This might be the most difficult, and I do not even have a clue how local routing is achieved and how it can be disabled or modified.
[NEED HELP on this one too]

Any feedback, URL, solution, answer will be highly appreciated.
The resulting solution might be incorporated into Jacques Gelinas' FAQ or yours.

David GLAUDE
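
One way to express requirements A to D from the post on a current Linux kernel with iproute2, as an added example that is not part of the original message. The table numbers (101 to 103) and the /24 prefixes are assumptions, since the post gives no masks; the script only prints the commands for review, and requirement E is not addressed.

```shell
#!/bin/sh
# Added example: print (do not execute) host-only settings per interface.
# Assumed values: table ids 101-103 and /24 prefixes (not given in the post).

emit_global() {
    # A: never forward packets between interfaces; behave as a host.
    echo "sysctl -w net.ipv4.ip_forward=0"
}

emit_iface() {
    # $1=interface $2=local address $3=connected prefix $4=gateway $5=table id
    ifc=$1; addr=$2; net=$3; gw=$4; tbl=$5
    # B: do not send ICMP redirects out of this interface.
    echo "sysctl -w net.ipv4.conf.$ifc.send_redirects=0"
    # C: strict reverse-path check; drop a packet when the route back to
    #    its source would leave through a different interface.
    echo "sysctl -w net.ipv4.conf.$ifc.rp_filter=1"
    # C: answer ARP only for addresses configured on the receiving interface,
    #    and announce only the address that belongs to the sending interface.
    echo "sysctl -w net.ipv4.conf.$ifc.arp_ignore=1"
    echo "sysctl -w net.ipv4.conf.$ifc.arp_announce=2"
    # D: one routing table per interface, selected by the source address,
    #    so replies leave through the interface that owns that address.
    echo "ip route add $net dev $ifc src $addr table $tbl"
    echo "ip route add default via $gw dev $ifc table $tbl"
    echo "ip rule add from $addr lookup $tbl"
}

emit_all() {
    emit_global
    # Addresses and gateways are the ones drawn in the post's diagrams.
    emit_iface eth1 1.1.1.1 1.1.1.0/24 1.1.1.9 101
    emit_iface eth2 2.2.2.2 2.2.2.0/24 2.2.2.9 102
    emit_iface eth3 3.3.3.3 3.3.3.0/24 3.3.3.9 103
}

# Running the script prints the full command list for inspection.
emit_all
```

After applying the printed commands as root, `ip rule show` and `ip route show table 102` confirm that each source address resolves to its own table.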